BL is very easy to manage; it is harder to recover from. TPM binds the HDD to the hardware; if the mobo goes, then you had better have had backups of the data on the HDD. TPM is a mixed bag: it offers protection that isn't much of a factor for most of us. Cold-boot and evil-maid attacks are not something you have to worry too much about in most businesses. Gov't and banking, then maybe, but most of us, not so much.
I'm all for security, but I'd forgo the TPM in favor of recoverability if you do not have your users' data backed up, and most people don't. If you don't back up, then use PIN-only.
-rich

You have to remember that BitLocker keys are not protected if you save them in AD. A better solution is using MBAM (all keys are saved in an encrypted SQL database), and you get very good support for managing recovery keys, resetting a TPM lockout, etc. All recovery operations are monitored and audited.

The keys are protected in AD if you run the provided VBS file that sets the ACEs on the schema so that only the designated groups or users can read them from AD: http://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx#BKMK_1
You do not HAVE to use TPM, btw; it can be PIN-only, and recovery data can still reside in AD.
I've not used MBAM but it could probably be of use to such a large deployment.
-rich

I'd like to comment on RichRumble's "BL is very easy to manage, it is harder to recover from. TPM binds the HDD to the hardware if the Mobo goes, then you had better have had backup's of the data on the HDD" - No, we can recover the drive on any computer using the recovery key. Reference: FAQ http://technet.microsoft.com/en-us/library/hh831507.aspx#BKMK_AltPC
On keys in AD: those are protected by default. No script needed. The scripts mentioned are not for this purpose.

Thank you for the replies. Are there any contras regarding BL then? I saw: "BL is very easy to manage, it is harder to recover from". What does that mean? I have to deliver our management a proof of concept and I want to make sure nothing is missing there. Any other concerns?
I understand that for recovery a device must be logged in to the domain, otherwise the recovery key is not available. Correct?

That is correct, the recovery keys are only available to certain accounts on the domain. By harder to recover from I was speaking about the process in relation to another product like TrueCrypt, where all you need is the passphrase, failing that the recovery key.
-rich

The keys are protected in AD (when you use AD as the backup location for the keys) and can only be accessed by certain groups and users. Schema Admins specifically, and by default, have permissions to read those keys in AD; you can grant others too.
Be sure to read all you can about the process before presenting: http://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx
-rich

->use the recovery key, or, if present (recommended) a "master USB key" that holds a second key to the drive. This is possible.
We can give the users password and key, so that in case they forget one, there's still the other.

Getting the recovery key can be made possible to anyone (each to his own machine) or just to domain admins (/schema admins), which is the default.

You have to read the previously linked article, it's really all there, you can backup the TPM keys in AD as well. The Schema has to be modified (the article tells you how) and then the keys can be stored there.
-rich

After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.

Duke, I participated in your other thread where you describe your disaster with McAfee Encryption. To be honest, I would not blame McAfee, but the guys who did not have a tested recovery concept in the first place.
In order to get a recovery concept for BitLocker, please look at realistic disaster scenarios. Multiple devices facing TPM lockouts are nowhere near realistic.

Consider what could go (terribly) wrong on multiple devices at the same time: nothing. At least not if you are not relying on the BL feature Network Unlock, which you don't have to.
What else? Single devices could fail to start because users forgot their PIN/password/USB key. There, as I mentioned, the recovery key will be handy; think about how it could be provided. But you don't need to fear lockouts if you give them two keys (again, as mentioned before): password and startup key.
What else: hard drive corruption. Always possible; does not need to be looked at if you already have a backup concept.
Anything else? I don't think so.
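The recovery concept described in the posts above (TPM+PIN for daily use, a recovery password escrowed to AD for the help desk, and a second key the user keeps on a USB stick) in PowerShell, as an added example that is not from any post in this thread. It uses the BitLocker module that ships with Windows 8 / Server 2012 and later. Assumptions not stated in the thread: the OS volume is C:, the user's USB stick is E:, a domain controller is reachable, and the GPO "Store BitLocker recovery information in Active Directory Domain Services" is enabled. On Windows Server 2008 and later domain controllers the msFVE-RecoveryInformation schema class is already present, so a schema extension is only needed for Windows Server 2003 DCs. The help-desk lookup at the end needs the ActiveDirectory RSAT module and an account that has been granted read on msFVE-RecoveryPassword.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the client.
# Assumed values (adjust to your environment):
$OsVolume  = 'C:'    # system volume to protect
$UsbVolume = 'E:\'   # the user's USB stick for the second (self-service) recovery key

# 1. Primary unlock: TPM + PIN. Collected as a SecureString so it never lands in a transcript.
$Pin = Read-Host -Prompt 'Pre-boot PIN' -AsSecureString
Enable-BitLocker -MountPoint $OsVolume -TpmAndPinProtector -Pin $Pin `
                 -EncryptionMethod Aes256 -UsedSpaceOnly -SkipHardwareTest

# 2. Help-desk path: a 48-digit recovery password, escrowed to the computer object in AD.
$Vol = Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector
$Rp  = $Vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
try {
    # Needs line of sight to a DC (no VPN, no offline). The cmdlet throws if the backup is
    # not accepted, so do not treat the machine as "deployed" until this step has succeeded.
    Backup-BitLockerKeyProtector -MountPoint $OsVolume -KeyProtectorId $Rp.KeyProtectorId
} catch {
    Write-Warning "AD escrow failed ($($_.Exception.Message)); retry on the domain network before handing the device out."
}

# 3. Self-service path: a .BEK recovery key file on the user's USB stick. A forgotten PIN
#    then does not need a help-desk call at all.
Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryKeyProtector -RecoveryKeyPath $UsbVolume | Out-Null

# 4. Verify: encryption running, protection on, and exactly the protectors we expect.
$Vol = Get-BitLockerVolume -MountPoint $OsVolume
$Vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
$Vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize
$Expected = 'TpmPin', 'RecoveryPassword', 'ExternalKey'   # ExternalKey = the .BEK on the stick
$Missing  = $Expected | Where-Object { $_ -notin $Vol.KeyProtector.KeyProtectorType }
if ($Missing) { Write-Warning "Missing protectors: $($Missing -join ', ')" }

# 5. Help-desk side (run on a management host with the ActiveDirectory RSAT module).
#    The recovery object is a child of the computer object, named "<timestamp>{<key ID>}".
#    The user reads the first 8 characters of the key ID from the blue recovery screen.
# $ComputerName = Read-Host 'Computer name'
# $KeyIdPrefix  = Read-Host 'First 8 characters of the recovery key ID'
# $Computer     = Get-ADComputer -Identity $ComputerName
# Get-ADObject -SearchBase $Computer.DistinguishedName `
#              -Filter "objectClass -eq 'msFVE-RecoveryInformation' -and name -like '*{$KeyIdPrefix*'" `
#              -Properties msFVE-RecoveryPassword, whenCreated |
#     Select-Object whenCreated, Name, msFVE-RecoveryPassword
```

Step 2 is the one that answers the "written back into AD" question raised later in the thread: the escrow is a live write to the computer object, so it only succeeds while a DC is reachable, and the try/catch makes that failure visible instead of silently leaving a machine with no escrowed key.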

You have to extend the schema to put the keys in AD. You can use BL without extending the schema, but to back up the keys into an easily accessible location you have to extend the schema. BL and BL-To-Go work without having to extend, but the ease of backing up the keys to AD cannot be achieved without extending the AD schema.
-rich

One more thing: if the recovery key needs to be "written back into AD", this seems not to be possible without being logged on to the domain. Tests have proved that it doesn't work through VPN either. I see that as a big drawback.

No, not yet. We will upgrade in about two weeks.
Here are some drawbacks regarding BL:

-There are commercially available tools that claim to be able to crack BL
-Anyone with an ADM account can suspend BL or decrypt a drive
(BL allows anyone with local machine administrative rights on the workstation to suspend or disable BL)
-No support for non-TPM enabled machines
-Pre-boot environment: BL has no single sign-on, right?
-Weaker security
-TPM password doesn't change
-BL requires TPM version 1.2 or higher, correct?
-Lock-outs: If a user forgets their PIN in BL, after a certain number of tries there is a small timeout between repeated attempts. If the TPM believes it is being hammered, it will enter lockout mode. During this time a user can still enter the correct PIN and get in, but the Service Desk will need to be contacted to reset the TPM so it is no longer in lockout mode. Forgotten Windows passwords are handled no differently than if BL was not installed, right?

-In testing the TPM password did not change after repeated uses to reset the TPM. (This may be a security concern)
-Non-English keyboards are not directly supported

-Recovery: The BL recovery solution requires a call to the Service Desk for a challenge/response recovery, or a self-help website. If the recovery is due to a hardware change, the Service Desk will need to remotely connect to the machine to suspend and resume BL so that the user isn't prompted for a recovery key each time the machine boots

Authorized users / administrators: BL does not assign a specific set of users to a device and does not require the synchronizing of passwords between the local machine and a backend database.

If you have time, I'd be extremely grateful if you could review my concerns and give a statement about them.

McKnife: I'm sorry, I know it's a lot. I picked this up from forums like McAfee's and put them together, but these are the pros/contras which need to be given a look at.

Before we deploy BL, a proof of concept must be delivered which shows those points listed above and convinces our management.
Being in the business for some time, I know that not everything MS promises is accurate. Therefore I have to list all of it and make a comparison which "justifies" a product, regardless of whether it's MS, McAfee or anything else.

Ok, we can discuss certain points, but crap like "-Weaker security" should not be discussed. Meaningless, because very generalized. OK, I'll do a quick and dirty commenting which can be refined later:
--
-There are commercially available tools that claim to be able to crack BL - sure, everybody can crack anything in minutes ;-) . Too generalized. Please name those tools and circumstances.
-Anyone with an ADM account can suspend BL or decrypt a drive
(BL allows anyone with local machine administrative rights on the workstation to suspend or disable BL) - correct. Admins are admins.
-No support for non-TPM enabled machines - what should that mean? We CAN use BL without.
-Pre-boot environment: BL has no single sign-on, right? - Right
-Weaker security ???
-TPM password doesn't change - so what? How would anyone break that?
-BL requires TPM version 1.2 or higher, correct? - read the MS TechNet documentation
-Lock-outs: If a user forgets their PIN in BL, after a certain number of tries there is a small timeout between repeated attempts. If the TPM believes it is being hammered, it will enter lockout mode. During this time a user can still enter the correct PIN and get in, but the Service Desk will need to be contacted to reset the TPM so it is no longer in lockout mode. Forgotten Windows passwords are handled no differently than if BL was not installed, right? - the last one is right. But what about hammering? Why would users try and try and try?

-In testing the TPM password did not change after repeated uses to reset the TPM. (This may be a security concern) - please explain in detail
-Non-English keyboards are not directly supported - not a physical-keyboard matter, but you need to switch the input keyboard to en-US when entering a password in Windows, because the pre-boot screen uses en-US!

-Recovery: The BL recovery solution requires a call to the Service Desk for a challenge/response recovery, or a self-help website. If the recovery is due to a hardware change, the Service Desk will need to remotely connect to the machine to suspend and resume BL so that the user isn't prompted for a recovery key each time the machine boots - we talked about recovery earlier, everything has been said: give the user a USB key and a password (PW only for Win8+); if still on Vista/Win7, consider providing the recovery key to the end user.

Authorized users / administrators: BL does not assign a specific set of users to a device and does not require the synchronizing of passwords between the local machine and a backend database. - correct.
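The lock-out item from the list above (and the TPM anti-hammering quote earlier in the thread) in runnable form, as an added example that is not from any post in this thread: two small PowerShell functions that read the TPM's anti-hammering state with the TrustedPlatformModule module (Windows 8 / Server 2012 and later) and tell the help desk whether to wait or to reset. Assumptions: the reset uses the TPM owner authorization value, which on Windows 8+ is either held by the OS (auto-provisioned) or escrowed to the computer object in AD when the "Turn on TPM backup to Active Directory Domain Services" GPO is enabled; the LockoutHealTime property exists only on Windows 10 and later, so the function tolerates its absence. Clearing a lockout does not recover the PIN; it only lets the user try the correct PIN again.

```powershell
# Added example, not from the thread. Run elevated on the affected client.

function Get-TpmLockoutReport {
    # Returns the TPM anti-hammering state plus a recommended help-desk action.
    $tpm  = Get-Tpm
    $heal = if ($tpm.PSObject.Properties['LockoutHealTime']) { $tpm.LockoutHealTime } else { 'n/a (pre-Windows 10)' }

    $action = if (-not $tpm.TpmPresent) {
        'No TPM present; a TPM lockout cannot be the cause of the failed unlock.'
    } elseif ($tpm.LockedOut) {
        "Locked out after $($tpm.LockoutCount) failed attempts (max $($tpm.LockoutMax)). " +
        'Either wait for the heal interval or run Reset-TpmLockout.'
    } else {
        "Not locked out ($($tpm.LockoutCount) of $($tpm.LockoutMax) failures recorded); a rejected PIN is simply wrong."
    }

    [pscustomobject]@{
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        LockedOut    = $tpm.LockedOut
        LockoutCount = $tpm.LockoutCount
        LockoutMax   = $tpm.LockoutMax
        LockoutHeal  = $heal
        Action       = $action
    }
}

function Reset-TpmLockout {
    # Clears the lockout counter using the TPM owner authorization. With Windows 8+ auto-provisioning
    # the OS may hold the value itself; otherwise pass it in (e.g. read from ms-TPM-OwnerInformation
    # on the computer object in AD by an authorized help-desk account).
    param([string]$OwnerAuthorization)

    if ($OwnerAuthorization) { Unblock-Tpm -OwnerAuthorization $OwnerAuthorization }
    else                     { Unblock-Tpm }

    # Re-read so the caller sees whether the reset actually took.
    Get-TpmLockoutReport
}

Get-TpmLockoutReport | Format-List
```

Run Get-TpmLockoutReport first; on a machine that is merely rejecting a wrong PIN it reports LockedOut = False, which is the common case and needs no help-desk reset at all.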

BL + TPM is security OVERKILL actually. The way to decrypt BL is the same as with EVERY product: wait until the user boots it up, get the decryption key from memory, or issue decryption commands at that time. No product can claim that is not possible, because that is the function of the product: it is to give you access to the content, and to get access to the content it has to be decrypted. If you read my article, I believe I linked it prior, you can see that Elcomsoft and Passware have BL decryption capabilities, but they rely on the product being booted, taken out of hibernation or suspension, or simply at the lock screen. Using FireWire (physical access) the products can get access to RAM via DMA and get the decryption key for PGP, TC, BL and probably others. This is not an attack that drive encryption aims to solve, and it's in fact not an attack you have to worry about. If you can get to RAM you can get to ANYTHING in the machine already with no need to decrypt; just inject a trojan there, the drive is already decrypted because the key is in RAM. It's nice and James Bond to get the key for use later, but not needed since FireWire gets you direct access to RAM.

Try the product out, then come back with problems you have with it, not what others say is a problem. Again, like I said in my opening post, BL protects from OFFLINE physical theft of the data when the OS is OFF. It does not protect anything when it is running, suspended or hibernating.
-rich

Small addition:
> It does not protect anything when it is running, suspended or hibernating.
It does protect hibernated OSes. BL does, Symantec Encryption Desktop does, maybe most or all do. Before resuming, you need to re-enter the PW/PIN or re-insert your USB drive.

I suppose I over-generalized hibernation... BL can ask for those depending on how you have it set up; other FDE products do not ask or have the option and are able to be decrypted by the two aforementioned products. If BL is set to transparent mode, hibernation is decryptable; also sleeping or suspended modes are still vulnerable even with PIN or USB boot.
-rich
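The sleep-versus-hibernation point from the last two posts as a hardening step, added here as an example that is not from any post in this thread. In S3 sleep the volume key stays in RAM, so a PIN or USB protector buys nothing against a DMA or cold-boot read; a hibernated machine with TPM+PIN has to ask for the PIN again before the key exists. The script removes S1-S3 standby through the machine-wide power policy registry keys (the same keys the "Allow standby states (S1-S3) when sleeping" GPO writes), turns hibernation on, maps lid-close and sleep-button to hibernate with powercfg, and then checks that the OS volume really has a protector that demands a user secret, because with TPM-only ("transparent") mode a hibernated machine resumes without one. Assumptions: Windows 8 or later; the DisableExternalDMAUnderLock policy at the end is honoured only on Windows 10 1703 and later and is otherwise ignored.

```powershell
# Added example, not from the thread. Run elevated; a reboot applies the policy keys.

# 1. Forbid S1-S3 standby on AC and DC. GUID = "Allow standby states (S1-S3) when sleeping".
$StandbyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'
New-Item -Path $StandbyKey -Force | Out-Null
Set-ItemProperty -Path $StandbyKey -Name ACSettingIndex -Value 0 -Type DWord
Set-ItemProperty -Path $StandbyKey -Name DCSettingIndex -Value 0 -Type DWord

# 2. Hibernation must exist as the fallback, and lid close / sleep button should use it (2 = hibernate).
powercfg.exe /hibernate on
powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
powercfg.exe /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_BUTTONS SBUTTONACTION 2
powercfg.exe /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS SBUTTONACTION 2
powercfg.exe /setactive SCHEME_CURRENT

# 3. Windows 10 1703+ only: refuse newly attached DMA-capable devices (Thunderbolt, 1394, PCIe)
#    while the machine is locked. Older builds ignore this value.
$FveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $FveKey -Force | Out-Null
Set-ItemProperty -Path $FveKey -Name DisableExternalDMAUnderLock -Value 1 -Type DWord

# 4. Hibernation only helps if resume demands a secret. A plain TPM protector (or Network Unlock)
#    unseals the key with no user input, so the machine would resume silently.
function Test-ResumeRequiresSecret {
    param([string]$MountPoint = $env:SystemDrive)
    $types      = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
    $silent     = @('Tpm', 'TpmNetworkKey')                                   # unlock without the user
    $userFactor = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password', 'ExternalKey')
    $hasSilent  = [bool]($types | Where-Object { $_ -in $silent })
    $hasFactor  = [bool]($types | Where-Object { $_ -in $userFactor })
    (-not $hasSilent) -and $hasFactor
}

if (-not (Test-ResumeRequiresSecret)) {
    Write-Warning 'OS volume can be unlocked without a user secret (TPM-only or Network Unlock); hibernation will resume silently. Add a TPM+PIN protector.'
}
```

The check in step 4 is the part worth keeping in a deployment script: the power settings are easy to get right once, but a machine that later has its PIN protector removed by an administrator silently drops back to the "key in RAM on every boot" state the posts above describe.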

Boot order:
It may not be obvious, but the way the TPM secures the encryption keys is by ensuring that the way your system boots up or starts is always the same as it was at the time you enabled BitLocker. This means that if you are encrypting your system drive (C:), it is important that you set the boot order so that the hard drive is always first.

Duke, the way you lead the question gets somewhat exhausting, at least for me. You collected a heap of questions, you got quick'n'dirty answers - now, without any further comment, the next question comes in.
I suggest to read and try for yourself. BL judges the BIOS state, yes. Some changes in the BIOS will lead to BL asking for the recovery key, others won't and you can even configure that using GPOs. But that won't be your main concern for deployment, will it? Do your users change the BIOS settings all day? ;-)

Please ask new, separate questions instead of reviving this thread again and again.
